win.liteduke

LiteDuke

Actor(s): APT29


According to Carbon Black, LiteDuke is a third-stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload stores its configuration in an AES-encrypted SQLite database. LiteDuke supports a large number of individual commands, including host-information retrieval, file upload and download, and execution of further code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using ordinary HTTP requests; it attempts to use a realistic User-Agent string so the traffic blends in with normal HTTP activity.
ESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

References
2020-05-18 — One Night in Norfolk — Kevin Perlow
Looking Back at LiteDuke
LiteDuke
2020-03-26 — VMware Carbon Black — Scott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
Yara Rules
[TLP:WHITE] win_liteduke_auto (20260504 | Detects win.liteduke.)
rule win_liteduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.liteduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added on review, not part of the generated rule)
     * - Each $sequence_N is a run of x86 (32-bit) opcode bytes lifted from one
     *   sample's disassembly. "??" bytes are wildcards standing in for
     *   relocated addresses and call/jump displacements, so the rule survives
     *   rebasing but not recompilation.
     * - Several sequences are generic compiler or Win32 idioms (hash-context
     *   initialisation, a VirtualAlloc-shaped call, nibble-to-hex conversion,
     *   function epilogue/prologue). None of them is LiteDuke-specific on its
     *   own; the specificity comes from requiring 7 of the 10 together.
     * - The patterns were taken from unpacked code, so do not expect hits on
     *   the packed dropper or on-disk stages whose code is still encrypted;
     *   scan memory or unpacked payloads.
     */

    strings:
        // Local-variable housekeeping (copy [ebp-4] -> [ebp-0x10], set two
        // constants, take an address). Ordinary stack-frame code.
        $sequence_0 = { ff75fc 8f45f0 c745f402000000 c745e801000000 8d45e8 }
            // n = 5, score = 200
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8f45f0               | pop                 dword ptr [ebp - 0x10]
            //   c745f402000000       | mov                 dword ptr [ebp - 0xc], 2
            //   c745e801000000       | mov                 dword ptr [ebp - 0x18], 1
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        // Hash-context initialisation: two zeroed 32-bit words followed by the
        // constants 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 - the
        // standard MD4/MD5 initial state (also the first four words of SHA-1).
        // Any statically linked implementation of those hashes contains this
        // exact sequence, so it is weak evidence by itself.
        $sequence_1 = { 8b5d08 c70300000000 c7430400000000 c7430801234567 c7430c89abcdef c74310fedcba98 c7431476543210 }
            // n = 7, score = 200
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   c70300000000         | mov                 dword ptr [ebx], 0
            //   c7430400000000       | mov                 dword ptr [ebx + 4], 0
            //   c7430801234567       | mov                 dword ptr [ebx + 8], 0x67452301
            //   c7430c89abcdef       | mov                 dword ptr [ebx + 0xc], 0xefcdab89
            //   c74310fedcba98       | mov                 dword ptr [ebx + 0x10], 0x98badcfe
            //   c7431476543210       | mov                 dword ptr [ebx + 0x14], 0x10325476

        // pop edx immediately followed by lea edx, [edx - const]: looks like a
        // position-independent address computation (get-PC via a preceding
        // call that lies outside the pattern) - NOTE(review): inference, the
        // call itself is not in the sequence.
        $sequence_2 = { 5a 8d928df4ffff c70201000000 8b3e 09ff 742a 8b4604 }
            // n = 7, score = 200
            //   5a                   | pop                 edx
            //   8d928df4ffff         | lea                 edx, [edx - 0xb73]
            //   c70201000000         | mov                 dword ptr [edx], 1
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   09ff                 | or                  edi, edi
            //   742a                 | je                  0x2c
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        // Same shape as $sequence_2 for ecx: push ecx / call ?? / pop ecx /
        // lea ecx, [ecx - 0x52c]. The call target is wildcarded.
        $sequence_3 = { 5a 8955f8 895dec 51 e8???????? 59 8d89d4faffff }
            // n = 7, score = 200
            //   5a                   | pop                 edx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d89d4faffff         | lea                 ecx, [ecx - 0x52c]

        // push 0x80000002 (== HKEY_LOCAL_MACHINE) as the last argument before
        // an imported call, then a test of the return value - consistent with
        // a registry open/create under HKLM. The import is wildcarded, so the
        // exact API is not established by the pattern.
        $sequence_4 = { 6802000080 ff15???????? 09c0 0f85de000000 8db5fcefffff 8d4dfc 837d0c00 }
            // n = 7, score = 200
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   09c0                 | or                  eax, eax
            //   0f85de000000         | jne                 0xe4
            //   8db5fcefffff         | lea                 esi, [ebp - 0x1004]
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0

        // Almost entirely wildcarded: four absolute/imported references and a
        // global store. The only fixed bytes are the opcodes and "push 4", so
        // this sequence contributes little specificity on its own.
        $sequence_5 = { ff35???????? e8???????? ff35???????? ff15???????? c705????????00000000 6a04 }
            // n = 6, score = 200
            //   ff35????????         |                     
            //   e8????????           |                     
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   c705????????00000000     |     
            //   6a04                 | push                4

        // High nibble of a byte -> ASCII hex digit (shr 4; cmp 9; add '0' for
        // 0-9, else the branch at +7 which is outside the pattern). Generic
        // hex-encoding routine found in many programs.
        $sequence_6 = { b800000000 8a03 c1e804 83f809 7f05 83c030 eb03 }
            // n = 7, score = 200
            //   b800000000           | mov                 eax, 0
            //   8a03                 | mov                 al, byte ptr [ebx]
            //   c1e804               | shr                 eax, 4
            //   83f809               | cmp                 eax, 9
            //   7f05                 | jg                  7
            //   83c030               | add                 eax, 0x30
            //   eb03                 | jmp                 5

        // cdecl call with three arguments (add esp, 0xc); the first push is
        // before the pattern. Generic calling-convention boilerplate.
        $sequence_7 = { 51 50 ff15???????? 83c40c 58 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   58                   | pop                 eax

        // Arguments pushed as 4, 0x3000, 0x1000, 0 before an imported call are
        // consistent with VirtualAlloc(NULL, 0x1000, MEM_COMMIT|MEM_RESERVE,
        // PAGE_READWRITE). Extremely common in benign code as well; the
        // import is wildcarded.
        $sequence_8 = { 0f8591000000 50 6a04 6800300000 6800100000 6a00 ff15???????? }
            // n = 7, score = 200
            //   0f8591000000         | jne                 0x97
            //   50                   | push                eax
            //   6a04                 | push                4
            //   6800300000           | push                0x3000
            //   6800100000           | push                0x1000
            //   6a00                 | push                0
            //   ff15????????         |                     

        // End of one stdcall function (leave; ret 4) running straight into
        // the prologue of the next (push ebp; mov ebp, esp; sub esp, 0x18).
        // Pure compiler boilerplate. NOTE(review): "mov ebp, esp" is encoded
        // 89e5 rather than MSVC's usual 8bec, which may hint at a non-MSVC
        // toolchain - confirm against the sample before relying on it.
        $sequence_9 = { 8b45f4 8b5df8 c9 c20400 55 89e5 83ec18 }
            // n = 7, score = 200
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18

    condition:
        // At least 7 of the 10 opcode sequences must be present. The filesize
        // bound (~1.1 MiB) cuts scan cost on large files, but note that
        // `filesize` is only defined when scanning files - check how your
        // scanner evaluates this condition against process memory, where the
        // unpacked code these patterns were taken from actually lives.
        7 of them and filesize < 1171456
}